Commit 4a0e4c85 authored by Daniel Gerhardt

Fix access to disabled features for unauthenticated users

Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.
parent e8aaf568
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
v 7.14.0 (unreleased) v 7.14.0 (unreleased)
- Fix access to disabled features for unauthenticated users (Daniel Gerhardt)
- Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu) - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
- Fix file upload dialog for comment editing (Daniel Gerhardt) - Fix file upload dialog for comment editing (Daniel Gerhardt)
- Expire Rails cache entries after two weeks to prevent endless Redis growth - Expire Rails cache entries after two weeks to prevent endless Redis growth
......
...@@ -31,7 +31,7 @@ class Ability ...@@ -31,7 +31,7 @@ class Ability
end end
if project && project.public? if project && project.public?
[ rules = [
:read_project, :read_project,
:read_wiki, :read_wiki,
:read_issue, :read_issue,
...@@ -42,6 +42,8 @@ class Ability ...@@ -42,6 +42,8 @@ class Ability
:read_note, :read_note,
:download_code :download_code
] ]
rules - project_disabled_features_rules(project)
else else
group = if subject.kind_of?(Group) group = if subject.kind_of?(Group)
subject subject
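Review bot: no spec change accompanies this fix, yet the added line `rules - project_disabled_features_rules(project)` is where the unauthenticated path is corrected (the public-project ability list used to be returned unfiltered, so `:read_issue`, `:read_wiki` and the rest were granted regardless of the project's feature settings); a regression spec asserting that an anonymous user on a public project with `issues_enabled: false` is not granted `:read_issue` would keep this from reappearing.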
...@@ -102,28 +104,7 @@ class Ability ...@@ -102,28 +104,7 @@ class Ability
rules -= project_archived_rules rules -= project_archived_rules
end end
unless project.issues_enabled rules - project_disabled_features_rules(project)
rules -= named_abilities('issue')
end
unless project.merge_requests_enabled
rules -= named_abilities('merge_request')
end
unless project.issues_enabled or project.merge_requests_enabled
rules -= named_abilities('label')
rules -= named_abilities('milestone')
end
unless project.snippets_enabled
rules -= named_abilities('project_snippet')
end
unless project.wiki_enabled
rules -= named_abilities('wiki')
end
rules
end end
end end
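Review bot: the replacement `rules - project_disabled_features_rules(project)` relies on being the final expression of the method to return the filtered list, whereas the removed block reassigned with `rules -= ...` and then returned `rules`; the result is the same today, but anything later appended after this line would silently operate on the unfiltered `rules`. Consider `rules -= project_disabled_features_rules(project)` followed by `rules`, matching the `rules -= project_archived_rules` style just above.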
...@@ -205,6 +186,33 @@ class Ability ...@@ -205,6 +186,33 @@ class Ability
] ]
end end
def project_disabled_features_rules(project)
rules = []
unless project.issues_enabled
rules += named_abilities('issue')
end
unless project.merge_requests_enabled
rules += named_abilities('merge_request')
end
unless project.issues_enabled or project.merge_requests_enabled
rules += named_abilities('label')
rules += named_abilities('milestone')
end
unless project.snippets_enabled
rules += named_abilities('project_snippet')
end
unless project.wiki_enabled
rules += named_abilities('wiki')
end
rules
end
def group_abilities(user, group) def group_abilities(user, group)
rules = [] rules = []
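Review bot: `unless project.issues_enabled or project.merge_requests_enabled` uses the low-precedence `or`; it parses correctly as the whole condition here, but `||` is the conventional form inside a conditional and avoids surprises if the expression is ever rearranged. Otherwise the extracted method mirrors the removed inline checks one for one (issue, merge_request, label and milestone, project_snippet, wiki), and since it is now shared by the public and the authenticated branches, any future feature toggle only needs to be added here.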
......